SVG
Commentary
CNN

Encryption a Growing Threat to Security

Former Distinguished Fellow

Back in the 1970s and '80s, Americans asked private companies to divest from business dealings with the apartheid government of South Africa. In more recent years, federal and state law enforcement officials have asked -- and required -- Internet service providers to crack down on the production and distribution of child pornography. And banks and financial institutions are compelled to prevent money laundering by organized crime and terrorists finance networks.

All of this is against companies' bottom-line business interests, but it has been in the public interest. These actions were taken to protect the public and for the greater good. And all of it was done to mitigate a moral or physical hazard.

Take another example: Many communities implement landlord responsibility ordinances to hold them liable for criminal activity on their properties. This means that landlords have certain obligations to protect nearby property owners and renters to ensure there isn't illicit activity occurring on their property. Property management companies are typically required to screen prospective tenants. Just this spring, a family was awarded $12 million in damages against a property management company that failed to screen tenants prior to a shooting in the development.

The point of all these examples? That state and federal laws routinely act in the interest of public safety at home and abroad. Yet now, an emerging technology poses a serious threat to Americans -- and Congress and our government have failed to address it.

Technology companies are creating encrypted communication that protects their users' privacy in a way that prevents law enforcement, or even the companies themselves, from accessing the content. With this technology, a known ISIS bomb maker would be able to send an email from a tracked computer to a suspected radicalized individual under investigation in New York, and U.S. federal law enforcement agencies would not be able to see ISIS's attack plans.

Unfortunately, this scenario is not at all far-fetched. Recently, FBI Director James Comey testified before Congress that terror groups such as ISIS are using encrypted programs to hide their communications and recruiting messages from U.S. federal agencies. As a result, ISIS is aggressively targeting young Americans online -- and they are succeeding.

Let's think about that, because this reality could very well lead to attacks against Americans on American soil that could have been prevented if companies and Congress worked to find a solution.

What could a solution look like? The most obvious one is that U.S. tech companies keep a key to that encrypted communication for legitimate law enforcement purposes. In fact, they should feel a responsibility and a moral obligation to do so, or else they risk upending the balance between privacy and safety that we have so carefully cultivated in this country.

Unfortunately, the tech industry argues that Americans have an absolute right to absolute privacy. But while Americans absolutely do have a right to privacy, the Constitution both provides protections and offers a path for the government to pursue illegal behavior. Indeed, the criteria for securing a warrant is well established in the law, and we do not have to sacrifice Fourth Amendment protections to fix this growing problem. If technology companies build encryption systems where only they retain access, then when necessary, law enforcement would be able to follow the appropriate legal process to obtain the suspected bad actors' records. It is really that simple.

This is not the first time in America's history that private industry has been asked by society through law enforcement to strike the proper balance between profit and public interest. American companies should be able to make a profit and protect innocent users' privacy, while still allowing law enforcement to be able to catch the world's worst criminals and terrorists with time-tested legal measures.

If landlords have the moral responsibility to protect a community from illegal use of their property, shouldn't tech companies have the same moral responsibility to protect the broader online community from illegal use of their property?

So yes, the tech industry should continue to encrypt communications to offer citizens privacy. But they should also keep a master key, because it may one day save thousands of lives. Americans' privacy is protected every day by laws that prevent police from entering a criminal's home without a warrant. Why should the rules or risks be any different in cyberspace?

If we can work together on this difficult problem, I know we will find a solution. Let's not create a new threat for profit's sake.